Hacking IoT Devices: How to Create a Botnet of Refrigerators

DDoS attacks that use botnets made of IoT devices are not just possible—they’re happening.

You see threat lists and news articles that mention the Internet of Things (IoT) getting hacked as a major concern all the time. But what does that mean?

To many people, the entire concept is an abstraction. Some folks still see hacking through a 90’s movie lens where the hacker smashes keys and says stuff like, “I’m tapping into the mainframe.” So, envisioning a scenario where someone could hack a thermostat and do much more than turn on your heat is kind of difficult.

Granted, there are some cases where serious harm could be done—say, for instance, hacking into key systems in someone’s car. But that’s really the tip of the iceberg when it comes to the potential ways someone can wreak havoc by hacking IoT devices.

Today we’re going to talk about one of the more ambitious ways hackers are using hacked IoT devices.

DDoS Attacks and Botnets

As hacking goes, DDoS has become one of the most commonly used attacks there is. Distributed Denial of Service or DDoS, knocks a server or network offline by overloading it with spammy requests and bringing it down. Vince wrote a great in-depth piece on DDoS/DoS attacks last year if you want to learn more, but we’ll cover the basics here.

As the name implies, to pull off a DISTRIBUTED Denial of Service attack you need to distribute your requests across a network of computers. Sending all of the requests from one computer would be logistically impossible and it would also make it easy to block where the requests are coming from.

Instead, you build a botnet. To do this, you infect hundreds, thousands – maybe even millions – of computers with a malware that effectively turns them into a bot. Typically, the computer shows no signs of infection outside of using a little extra bandwidth as the malware lays mostly dormant until the attacker puts the computer to work.

Once the attacker has decided on their target and is ready to begin, the botnet begins to send requests at the server or network that it’s attacking. The volume of the requests (or spam, or whatever is being transmitted) coupled with the number of different sources from which the requests are emanating knocks the server or network offline.

It’s a whole lot more complicated than that when you dig into it, but that’s an abridged version and it should suffice for the rest of this discussion.

A Botnet of Security Cameras and Washing Machines

As we discussed, a botnet is a network of hacked computers. Traditionally building a botnet has involved getting malware on actual computers. And depending on the security practices of that computer’s user, sometimes it was a challenge and other times… not so much.

Nowadays everything is online. Refrigerators can notify you when you’re low on milk. Lights can be turned on and off with phone apps. Security cameras can send live feeds straight to your computer screen. It’s incredible. It’s also glaringly unsecure. The IoT industry seems completely unconcerned with security. And that’s extremely attractive to hackers.

In 2016, Mirai, malware named after a Japanese anime cartoon, made news for its role in several high-profile DDoS attacks—including the Dyn DNS attack that blocked millions of users from high profile sites like Twitter and Netflix.

Mirai primarily targeted IoT devices. It did this by using devices it had already infected to scan the internet for IoT devices. Once it identified its targets, it used a table of over 60 common factory default usernames and passwords to hack into the devices.

Perhaps the most amusing part of all this is the fact that after Mirai infected a device, it would scrub it off any competing malware and then block remote administration ports, which means that in most cases, Mirai – the malware infecting your IoT device – did more to secure the device than its manufacturer.

Frankly, targeting IoT devices makes sense. A botnet army of IoT devices could grow to massive proportions given the ubiquity of those devices and the fact that many people never bother to change their default usernames and passwords. Not to mention, the majority of us aren’t worried about malware-scanning our ‘fridge.

Is Your Refrigerator Running?

If the idea of a bunch of household appliances conducting an act of cyber terrorism is funny to you, you’re not alone. It’s pretty funny to me, too.

But as surreal as it may seem, it’s a legitimate threat. As the IoT continues to evolve, the threats against it will evolve too. Unfortunately, the security for these devices hasn’t been evolving at the same rate. And while there are after-market solutions beginning to emerge, the onus needs to be on the manufacturers to double down on their security efforts.

The Dyn attack may not ring any bells to the average internet user, but it was a big deal. It knocked some of the most prominent websites in the world – Amazon, CNN, BBC, GitHub, PayPal, Spotify and dozens of others – offline by attacking a major DNS provider. You may remember that day last October when everyone in North America lost their collective mind about the internet being down? That was the Dyn attack.

And it was conducted with a botnet of IoT devices. Over the coming months and years, as even more devices come online, these kinds of attacks are only going to get more common.

So the next time your refrigerator is leaking, just remember—it could be doing a lot worse.

Be the first to comment

Author

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.